RE: Vulnerability statistics

["Michael Howard" <mikehow () microsoft com>]

Thanks for the follow-up Steven.

> > There are also terminological difficulties that can further bias the
data.  For example, integer overflows are often labeled "buffer
overflows;" where available, we've tried to make this distinction in CVE
descriptions by discussing "integer overflows that lead to buffer
overflows," and doing similar things with other bug types that use
buffer overflow attacks for exploitation (so Michael, double-check your
script ;-) 

My script is really dumb, I hope I made that painfully clear; querying
solely using the English language is always fraught with error :(

A quick re-run shows that:

select count(*) from entry
where (Comment like '%unchecked buffer%' or Comment like '%buffer over%'
or Comment like '%buffer-over%' or Comment like '%bufferover%' or
Comment like '%bounds%') and (Comment like '%integer%')

Returns 25 hits from 2004. 

The other mistake people'll make is format strings and buffer overruns,
and potentially double-free's and BO's. 

Fwiw, I grab your XML file (thanks for creating an XML version, btw)
parse it and slap it in a SQL database for analysis. But if you guys
(CVE) are doing this analysis then I think it would be useful to expose
this to help people like me spot trends.




[Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp
[Protect Your PC] http://www.microsoft.com/protect
[Blog] http://blogs.msdn.com/michael_howard

[On-line Security Training]
http://mste/training/offerings.asp?TrainingID=53074


-----Original Message-----
From: Steven M. Christey [mailto:coley () mitre org] 
Sent: Monday, January 10, 2005 5:09 PM
To: webappsec () securityfocus com
Subject: Re: Vulnerability statistics

<snip - to save your inbox>